Ukraine-Russia conflict puts cyber warfare front and center


Russia’s land war in Ukraine is in some ways, an outgrowth of its long running cyberspace war. And that affects everybody, not just Ukraine. For how the current situation changes the cybersecurity picture, the Federal Drive with Tom Temin spoke with the senior director of the Center on Cyber and Technology at the Foundation for the Defense of Democracies, retired Navy Rear Adm. Mark Montgomery.

Interview transcript:

Mark Montgomery: Right now as the United States and our European and even Asian allies now increase sanctions on the Russian financial system, such as the Russian Central Bank that happened over the weekend, and on President Putin and his closest advisors and oligarchs, as also happened over the weekend, and hopefully soon, Russian energy investments. As we increase that pressure, it’s very possible that Russia will expand its cyber campaign beyond Ukraine, where it’s hot and heavy right now, to include the United States and European targets.

Russia’s hackers, they’re not just military and intelligence cyber units. They also include proxies that they support and enable. They have the ability to inflict damage on our critical infrastructure and on individual companies. The government recently disclosed, the U.S. government, that Russia has been persistently probing numerous U.S. critical infrastructures for over a decade. So it’s reasonable to expect that there’s malware that already exists inside critical U.S. water, energy, aviation, nuclear and critical manufacturing systems.

Tom Temin: Right, and what we’ve seen till now, especially in this whole ransomware era that we’re in, is that Russian cyber hacking has mainly had a klepto motive, a money motive. But it would seem now their motive is less cash, or maybe it still is, but disruption and interruption of services.

Mark Montgomery: Well, certainly in the past, the past being a year ago, the Russian government was tacitly allowing cyber criminals to operate as service entities from Russian infrastructure, and was sheltering them and shielding them from international prosecution. It’s just as likely that these criminal gangs with a wink and a nod could begin to go at either U.S. companies, or if they really want to escalate things, at U.S. critical infrastructure. And you know, to some degree, much of the private sector and that critical infrastructure is not prepared for a cyber war.

Tom Temin: Is there any particular action that operators of critical infrastructure, or banking systems, or any systems administrator, for that matter, even if you’re a defense contractor, for example, should be doing now? Is there any type of footprint that they can seek in their logs, in their networks, that might be helpful in preventing an attack?

Mark Montgomery: So the first thing I’d say is, you know, CISA, the Cybersecurity and Infrastructure Security Agency inside the Department of Homeland Security, and the FBI and NSA have put out a series of warnings over the last three months that, I think, do a good job of stating the cyber hygiene that businesses, particularly small and medium sized businesses, should be carrying out. I think there should be an asterisk on most of those alerts that says, by the way, if you haven’t been seriously investing in cyber resilience over the last two to three years, you’re probably in trouble. But if I were to give a company advice, I’d say first of all, identity management: making sure they’re using the right passwords, the right multi-factor authentication, that they’re using tools that limit the ability for phishing, email phishing, to occur. And then probably movement management, in other words start to restrain and to limit the access that certain personnel, even administrators, have to move through systems. This will slightly lower efficiency, no doubt about it. But it will greatly increase security.

Tom Temin: Right. So scan now and pay attention to what you find. Are there any, I guess, has CISA published specific profiles of what these types of sleeperware might look like?

Mark Montgomery: So recently they’ve put out a couple of good examples of what to expect. Now, I would say that’s limited. Especially if it’s one of the military or intelligence cyber units coming after you, an advanced persistent threat team. I don’t think that the CISA advisories are intended to really prepare you for that. They’re probably more for the proxy actors using widely available tools. But still, the access management, access control, if you’re thinking about getting systems that do reasonable threat hunting inside your networks, if you have those systems and you’re paying for slightly less capable periodicity, or frequency or degree of management, I’d probably look at opening up the wallet a little bit on that. I think you have the time. Those kinds of changes where you’re improving existing efforts, you probably can still tweak your performance. If you haven’t invested in this, if you’ve taken the path of least cost, you’re probably now just hoping that you’re, you know, not the intended target.

Tom Temin: We’re speaking with retired Rear Adm. Mark Montgomery, a senior director and senior fellow at the Foundation for the Defense of Democracies. And let’s talk about the offensive side of this. We’ve been building the Cyber Command and cyber capability throughout the military now for quite some years, and understandably, they’ve been reluctant to say what they can or would do from an offensive standpoint. What’s your sense of what’s probably going on now, from our side, towards Russia? I mean, it’s not our war strictly. But let’s face it, we are the protector here.

Mark Montgomery: So I’d say the first thought on this is, you’re absolutely right. Cyber deterrence is really a three-legged stool. One is companies defending themselves; we’ve talked about that. The second is the U.S. government working closely with those companies, as much collaboration as we can. I haven’t talked too much about that. But there’s a lot written on that. And the third part is that you maintain a capable offensive cyber operations capacity. And the U.S. government has done that both in our military and in our intelligence services. We have good offensive cyber operations capabilities and capacities. One thing I’d say about this is, I think we’re probably preserving our cyber capability for response to attacks on our critical infrastructure, or on U.S. companies, or attacks that go into Europe, for which the European countries aren’t in a position to respond. And, you know, I would caveat also that the United States has always said, if you do a significant cyber attack on us that impacts our critical infrastructure, we reserve the right to use all kinds of different tools against you. I mean, I guess, more economic tools like sanctions, but also all types of military tools. So we preserve that.

I do think in this case, though, we’re going to be very careful with President Putin to not get into an escalatory tit for tat, and we’ll probably respond very much, you know, equally in a non-escalatory manner against Russian attacks on our companies or infrastructure. And again, Russia would be ill served to attack our critical infrastructures that impact health and public safety, as you’re very likely to get the horns from the United States after that.

Tom Temin: Right. So I guess the follow-on question would be then, just a couple of days ago, Ukraine asked formally of Congress to appropriate and send arms to Ukraine to help them; they would pull the trigger, but it would be our arms. By the same token, do you think that we might ship them copies of our cyber capabilities and let them pull the trigger on Russia?

Mark Montgomery: I’m not sure about that. I can say that, just like we sold Javelins and Stingers and some other systems to the Ukrainians, sporadically over the last six years in an inconsistent way that is now harming, you know, Ukraine’s ability to deter further Russian aggression, we’ve been slightly inconsistent in our cyber capability capacity building with the Ukrainians. We have spent the last six years starting and then stopping cyber capacity building efforts. Recently, I think we’ve been spending about $50 million a year, which is a small amount. And I think some of the improved performance of the Ukrainian cyber defenses is due to that. And a lot of it’s due to the Ukrainians’ own investments in this, where they’ve really done a good job. This is a lot less damage to their infrastructure through cyber than I think most of us would have postulated five days ago. There’s more to go. And we don’t know what Russia has held in reserve. But there’ll be more. I’m not sure about the idea; to me, this is not a great hunt-forward case, where you position your people side by side, as we did, maybe, in Montenegro, which I think is an area where the United States has said they’ve done this to help someone kind of expel Russian cyber bad actors. I just don’t think that’s consistent with the president’s decision making on a U.S. footprint in Ukraine.

Tom Temin: Got it. So then, in some ways too, I guess the consideration is, when you widely spread those capabilities to other governments, unlike Stinger missiles or Patriot missile banks or that type of thing, which have a very low chance of getting out into the wild, a cyber asset is so fungible, it could end up anywhere.

Mark Montgomery: Exactly. I think that’s a good part of the case. And, you know, I definitely believe that the Javelin missiles we’re transferring to Ukraine are going to be used with the intent of disabling Russian T-72 and T-80 tanks, not anything American.

Tom Temin: Retired Navy Rear Adm. Mark Montgomery is a senior fellow and senior director at the Foundation for the Defense of Democracies. Thanks so much for joining me.

Mark Montgomery: Thank you very much. It’s a pleasure.
